tb-updater signature/install confirmation screen usability review

Information

ID: 104
PHID: PHID-TASK-6bgxtxwl7czjom6stcuw
Author: Patrick
Status at Migration Time: resolved
Priority at Migration Time: Normal

Description

Due to lots of recent #tb-updater security enhancements (T88 T95 T96 T98 T103), tb-updater needs a usability review.

Here is a screenshot of the old, usual update confirmation screen. Unchanged, except that where it previously asked “Install now?” it’s now asking “Download now?”.

{F22}

To increase security (assisted detection of downgrade or indefinite freeze attack), a new signature/install confirmation screen has been introduced. It will be shown after the update confirmation screen and after download. Here is a screenshot of how it’s looking for now.

{F24}


If you are wondering whether these two screens should be combined: I think probably not, because the first screen is shown before download (after parsing https://www.torproject.org/projects/torbrowser/RecommendedTBBVersions, which can only be verified by https), and the second screen is shown after the actual file downloads and gpg verification, before installation.


  1. As you can see, it starts with showing again currently installed version and downloaded version. Should be simple so far.

  2. It goes on with a signature_freshness_msg. What is a “last known signature”? After the (first) successful installation, tb-updater will store the creation date of the gpg signature that signed the tbb file. In subsequent runs, it compares the known gpg signature date with the creation date of the new gpg signature that signed the new tbb file. Depending on that, tb-updater attempts to give useful advice to the user. That message could be one of three different messages.

signature_freshness_msg="Downloaded signature is newer than last known signature. Looks alright."

signature_freshness_msg="Downloaded signature is older than last known signature. You are likely victim of a downgrade attack, SAY NO NOW!"

signature_freshness_msg="Downloaded signature has same creation date as last known signature. \
Unless you are re-installing the same version, you could be victim of an indefinite freeze attack."

  3. It goes on with the signature creation dates. “Previous Signature Creation Date” is the signature creation date of the gpg signature that we stored in a previous run. “Current Signature Creation Date” is the creation date of the signature we just downloaded. Maybe those terms should be renamed? “Current System Date” is just what it says. (But frozen, that clock won’t move while looking at that window.) The user could also just have a look at their system clock in the taskbar. So maybe “Current System Date” should be removed?

  4. Currently the last text block is the signature_creation_msg. Depending on the local clock of the system (that could be far in the past or future on broken systems), tb-updater tries to give useful advice. signature_creation_msg could take 4 different values depending on the state that tb-updater concluded. Examples.

signature_creation_msg="<b>Your clock might be slow.</b> $clock_hint
According to your system clock, signature was created 20 minutes before current time.
You can probably ignore this, because it still is within range. (Okay up to 30 minutes before.)"

signature_creation_msg="<b>Your clock might be slow.</b> $clock_hint
According to your system clock, signature was created 5 days, 5 hours, 45 minutes and 34 seconds before current time."

signature_creation_msg="Signature looks quite old already.
Either,
- your clock might be fast (at least 4 months, 4 hours and 24 seconds fast). $clock_hint
- there is really no newer signature yet. Signature is really older than 3 months, 2 weaks, 5 hours and 43 seconds. already. (Older than 3 months.)
- this is a tb-updater bug
- this is an attack"

signature_creation_msg="According to your system clock, signatures was created 2 days, 8 hours, 40 minutes and 12 seconds ago."

Questions:

Any suggestions for better wording of the existing components?

Should the ordering of these components be changed?

Anything else?


function tb_confirm_install:


(Added everyone to cc who came first to my mind who might have suggestions on how to phrase these things. If you’re not interested in this ticket, please just un-cc.)

Please try to keep discussion in this ticket on the usability ticket. In case security/code should be discussed, please reopen one of the existing closed tickets or open a new one.
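The two decisions behind signature_freshness_msg and signature_creation_msg, sketched as an added example that is not part of the original ticket and not tb-updater's own code. All function and state names are hypothetical; "3 months" is assumed to be 90 days, and "clock might be slow" is interpreted as the signature timestamp lying ahead of the system clock.

```shell
#!/usr/bin/env bash
# Added illustration; not tb-updater's code. Names are hypothetical.
# All timestamps are Unix epoch seconds.
SLOW_CLOCK_TOLERANCE=$((30 * 60))         # "Okay up to 30 minutes" (ticket)
OLD_SIGNATURE_AGE=$((90 * 24 * 60 * 60))  # "Older than 3 months", assumed 90 days

is_epoch() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# $1 = stored signature creation date (empty on first install)
# $2 = creation date of the signature that was just verified
signature_freshness() {
  local previous="$1" current="$2"
  is_epoch "$current" || { echo "invalid"; return 1; }
  if [ -z "$previous" ]; then
    echo "first-install"              # nothing stored yet to compare against
  elif ! is_epoch "$previous"; then
    echo "invalid"; return 1          # corrupted state file: do not guess
  elif [ "$current" -gt "$previous" ]; then
    echo "newer"
  elif [ "$current" -lt "$previous" ]; then
    echo "older-possible-downgrade"
  else
    echo "same-possible-freeze"
  fi
}

# $1 = creation date of the downloaded signature, $2 = current system time
signature_age() {
  local sig="$1" now="$2" delta
  is_epoch "$sig" && is_epoch "$now" || { echo "invalid"; return 1; }
  delta=$((now - sig))
  if [ "$delta" -lt 0 ] && [ $((0 - delta)) -le "$SLOW_CLOCK_TOLERANCE" ]; then
    echo "clock-slow-within-tolerance"
  elif [ "$delta" -lt 0 ]; then
    echo "clock-slow-out-of-range"
  elif [ "$delta" -gt "$OLD_SIGNATURE_AGE" ]; then
    echo "signature-old"
  else
    echo "normal"
  fi
}

# Constructed sample values.
previous=1421000000   # stored after the last successful install
current=1422000000    # signature just downloaded and verified
now=1422172800        # system clock, two days after the signature
echo "freshness: $(signature_freshness "$previous" "$current")"
echo "age:       $(signature_age "$current" "$now")"
```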

Comments


Linostar

2015-01-21 19:52:47 UTC


Patrick

2015-01-22 18:35:56 UTC


Linostar

2015-01-22 19:01:57 UTC


Patrick

2015-01-22 19:09:24 UTC


Linostar

2015-01-22 19:39:54 UTC


Patrick

2015-01-22 22:38:03 UTC


Linostar

2015-01-23 06:43:57 UTC


Patrick

2015-01-23 13:26:53 UTC


Linostar

2015-01-23 13:37:50 UTC


Patrick

2015-01-24 03:09:58 UTC


Patrick

2015-01-29 07:15:44 UTC


Linostar

2015-01-29 12:28:32 UTC


Patrick

2015-01-29 12:52:53 UTC


Patrick

2015-01-29 12:56:41 UTC


Patrick

2015-01-29 13:02:58 UTC


Patrick

2015-01-29 13:54:55 UTC


Patrick

2015-01-29 13:59:06 UTC


Patrick

2015-01-29 14:30:00 UTC


Patrick

2015-01-29 14:39:43 UTC


Patrick

2015-01-29 17:37:55 UTC


Patrick

2015-01-30 12:27:39 UTC


Linostar

2015-01-30 13:07:21 UTC


Patrick

2015-01-30 14:09:31 UTC


Patrick

2015-01-30 22:06:40 UTC


Patrick

2015-02-04 19:47:12 UTC


Patrick

2015-02-10 03:54:18 UTC


Patrick

2015-02-11 18:18:37 UTC


Patrick

2015-02-12 10:40:25 UTC